A wireless local area network (WLAN) generally includes one or more access points (APs) designed to communicate with wireless client devices. As the number of APs increases, the network can become difficult to manage. To help alleviate this problem, a master controller (also referred to as a “wireless switch”) can be added to the network. Each wireless switch has a number of ports which allow the wireless switch to be coupled to multiple APs. A wireless switch controls some or all of the APs in the network, and data going to or from the APs flows through the wireless switch. Moreover, the access points can then be simplified by performing many of the functions of a conventional access point at the wireless switch. These simplified access points are referred to herein as “access ports” to differentiate them from conventional access points.
A firewall is a network element that is normally placed at a boundary between a protected network and an unprotected network, and is used to regulate flows of network traffic (i.e., communications) between the networks to prevent network intrusion into the protected network. A firewall can be implemented in hardware, in software running on a computer, or in a combination of both. A firewall acts like a gate that ensures that nothing private goes out and nothing malicious comes in. A firewall is designed to inspect all network traffic passing through it (i.e., entering or leaving a protected network), and to deny or allow passage of the traffic based on a set of policies or filtering rules. These policies describe what traffic is authorized (and allowed to pass through the firewall) and what traffic is unauthorized (and will be blocked if it does not meet the specified security criteria). Based on these policies, a firewall can be configured to permit or deny all inbound and outbound traffic between two or more security domains.
In general, firewalls can be classified as being either a stateful firewall or a stateless firewall.
A stateless firewall refers to a firewall that treats each network frame (or packet) in isolation. A stateless firewall has no way of knowing if any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet.
By contrast, a stateful firewall refers to a firewall that keeps track of the state of each connection (such as Transmission Control Protocol (TCP) streams, and User Datagram Protocol (UDP) communication) traveling across it in memory, and that performs stateful packet inspection (SPI) to distinguish legitimate packets for different types of connections. The state of the connection can include such details as the Internet Protocol (IP) addresses and ports involved in the connection and the sequence numbers of the packets traversing the connection. For protocols that use multiple connections (e.g., the file transfer protocol (FTP) or the session initiation protocol (SIP)), a stateful firewall maintains a table of open connections and intelligently associates new connection requests with existing legitimate connections. When a client initiates a new connection, it sends a packet with a synchronization (SYN) bit set in the packet header. All packets with the SYN bit set are considered by the firewall as new connections. If the service which the client has requested is available on the server, the service will reply to the SYN packet with a packet in which both the SYN bit and the acknowledgement (ACK) bit are set. The client will then respond with a packet in which only the ACK bit is set, and the connection will enter the established state. Such a firewall will pass all outgoing packets through but will only allow incoming packets if they are part of an established connection, ensuring that hackers cannot start unsolicited connections with the protected machine. After setup of the connection, all packets thereafter (for that session) are processed rapidly due to the simplicity and speed of determining whether each packet belongs to an existing, pre-screened session. By keeping track of the connection state, stateful firewalls provide added efficiency in terms of packet inspection. This is because for existing connections the firewall need only check the state table, instead of checking the packet against the firewall's rule set, which can be extensive. Only packets matching a known connection state will be allowed by the stateful firewall; others will be rejected. Once the session has ended, its entry in the state table is discarded.
To enhance network security, a firewall can be implemented at an access point or at a wireless switch. Such firewalls can implement access control lists (ACLs) and/or stateful firewall policies to control what traffic is allowed to flow through a network. For example, some wireless switches and access points (APs) implement preferred ACLs. Because ACLs are stateless, APs need not share firewall session information with other APs when a user roams from one AP to another. However, this comes at the cost of security, since ACLs may open up a network much more widely than a stateful firewall would.
Some wireless switches and APs implement stateful firewall policies that maintain session state information, such as for TCP, UDP, Internet Control Message Protocol (ICMP), Internet Group Management Protocol (IGMP), and the like. Stateful firewall policies can provide better security protection than ACLs. For example, when a wireless client device roams between two APs managed by the same wireless switch, all traffic flows through the wireless switch, so the session state remains in one place. However, when a wireless client device roams between two APs managed by two different wireless switches, large amounts of session information must be synchronized between the different wireless switches.
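The TCP handshake tracking described above, set beside the stateless ACL it is contrasted with, as an added Python illustration that is not part of this patent text: the addresses, port numbers and the ACL rule "inbound only to ports above 1023" are constructed assumptions, and the state table is a plain dictionary keyed by the connection's address/port tuple.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    outbound: bool = True  # True when the packet leaves the protected side

def stateless_acl(p: Packet) -> bool:
    # Stateless rule (assumed): pass all outbound traffic, and inbound traffic
    # only to ephemeral ports so replies to client-initiated connections return.
    return p.outbound or p.dport > 1023

class StatefulFirewall:
    """State table keyed by (client, client_port, server, server_port)."""
    def __init__(self):
        self.table = {}

    def check(self, p: Packet) -> bool:
        k = (p.src, p.sport, p.dst, p.dport) if p.outbound else (p.dst, p.dport, p.src, p.sport)
        st = self.table.get(k)                       # both directions share one entry
        if p.outbound:                               # outgoing always passes
            if p.syn and not p.ack:                  # SYN only: new connection
                self.table[k] = "SYN_SENT"
            elif st == "SYN_RECEIVED" and p.ack:     # client ACK completes handshake
                self.table[k] = "ESTABLISHED"
            return True
        if st == "SYN_SENT" and p.syn and p.ack:     # server SYN-ACK
            self.table[k] = "SYN_RECEIVED"
            return True
        if st == "ESTABLISHED":                      # part of a pre-screened session
            if p.fin: del self.table[k]              # session ended: discard entry
            return True
        return False                                 # unsolicited inbound packet

def demo():
    fw = StatefulFirewall()
    c, s = ("10.0.0.5", 40000), ("203.0.113.8", 80)  # constructed addresses
    handshake = [Packet(*c, *s, syn=True),                           # client SYN
                 Packet(*s, *c, syn=True, ack=True, outbound=False), # SYN-ACK
                 Packet(*c, *s, ack=True),                           # client ACK
                 Packet(*s, *c, ack=True, outbound=False)]           # server data
    results = [fw.check(p) for p in handshake]
    # Unsolicited inbound SYN to a high port: the ACL admits it, the tracker does not.
    stray = Packet("198.51.100.9", 4444, "10.0.0.5", 5000, syn=True, outbound=False)
    return results, stateless_acl(stray), fw.check(stray)
```

Running `demo()` yields `([True, True, True, True], True, False)`, which is the widening the text attributes to ACLs: a packet that matches no tracked connection still passes the stateless rule.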
Skilled artisans will appreciate that elements in the figures are illustrated for simplicity and clarity and have not necessarily been drawn to scale. For example, the dimensions of some of the elements in the figures may be exaggerated relative to other elements to help to improve understanding of embodiments.
The apparatus and method components have been represented where appropriate by conventional symbols in the drawings, showing only those specific details that are pertinent to understanding the embodiments so as not to obscure the disclosure with details that will be readily apparent to those of ordinary skill in the art having the benefit of the description herein.